Follow-Up Information Security Inspection at the VA Financial Services Center in Austin, Texas

Report Information

Issue Date:
Report Number: 23-02186-97
VA Office: Veterans Health Administration (VHA)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Report Topic: Information Technology and Security
Major Management Challenges: Information Systems and Innovation
Recommendations: 8
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. These inspections are typically conducted at selected facilities that have not been assessed for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA), or at facilities that previously performed poorly. The OIG selected the Financial Services Center (FSC) in Austin, Texas, as a follow-up to a 2021 inspection.

The OIG focused on three control areas it determined to be at highest risk: configuration management, security management, and access controls. The OIG identified four deficiencies in configuration management controls, one in security management controls, and two in access controls; three of these deficiencies had also been identified during the 2021 inspection. The configuration management deficiencies were in vulnerability management and flaw remediation, database scans, database baseline configurations, and unsupported components. The FSC’s vulnerability management controls did not identify all network weaknesses. Additionally, operating systems were no longer supported by the vendor, and security patches were missing. Evidence of scans for the FSC’s databases was not provided, and databases had vulnerabilities caused by configurations that deviated from an established baseline. Eighteen network switches were running operating systems that did not meet baseline security requirements, and six were not supported by the vendor. The FSC’s security management controls were found deficient in the monitoring of component inventory: there was a significant disparity between the number of devices on the network and the number identified in the cybersecurity management service. The FSC’s deficiencies in access controls were in monitoring inappropriate or unusual activity and in reviewing physical access logs.

The OIG made eight recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the FSC. Four of these were also recommendations in the 2021 inspection.

Recommendations

Status legend: Open; Closed-Implemented; Closed-Not Implemented.
No. 1
Status: Closed and Implemented
To: Information and Technology (OIT)
Closure Date: 5/30/2024

Implement a more effective vulnerability management program to address security deficiencies identified during the inspection. (This is a repeat recommendation from the prior inspection.)

No. 2
Status: Open
To: Information and Technology (OIT)

Ensure vulnerabilities are remediated within OIT’s established time frames. (This is a repeat recommendation from the prior inspection.)

No. 3
Status: Closed and Implemented
To: Information and Technology (OIT)
Closure Date: 5/30/2024

Ensure all servers and databases are part of the automated scanning process.

No. 4
Status: Closed and Implemented
To: Information and Technology (OIT)
Closure Date: 5/30/2024

Implement approved baseline configurations for databases and document justifications and approvals for any deviations.

No. 5
Status: Closed and Implemented
To: Information and Technology (OIT)
Closure Date: 9/30/2024

Implement more effective configuration control processes to ensure network devices maintain vendor support and receive security updates.

No. 6
Status: Closed and Implemented
To: Information and Technology (OIT)
Closure Date: 5/30/2024

Implement an improved inventory process to ensure the accuracy of network ranges managed within the Enterprise Mission Assurance Support Service. (This is a repeat recommendation from the prior inspection.)

No. 7
Status: Closed and Implemented
To: Information and Technology (OIT)
Closure Date: 1/2/2025

Implement an effective audit and monitoring process for all servers and databases. (This is a repeat recommendation from the prior inspection.)

No. 8
Status: Closed and Implemented
To: Information and Technology (OIT)
Closure Date: 5/30/2024

Ensure that physical access logs for the data center and communication rooms are reviewed on a quarterly basis.